Hi, I'm Patrick, and I'm going to talk to you about Network Security Models. Traditional approaches to network security design are based on what is called a perimeter-based model. Although still relevant, perimeter-based security alone is insufficient in today's modern computing environment. A zero trust model enhances the perimeter-based security model by implementing important security concepts such as positive control, least privilege, and segmentation.

Perimeter-based network security models date back to the early mainframe era, circa the late 1950s, when large mainframe computers were located in physically secure machine rooms that could only be accessed by a relatively limited number of remote job entry (RJE) or dumb terminals directly connected to the mainframe in the same room or in nearby physically secure areas. Think Tom Cruise in Mission Impossible, except the room and terminals are nowhere near as cool. Today's data centers are the modern equivalent of machine rooms, but perimeter-based physical security is no longer sufficient for several obvious but important reasons. First, mainframe computers predate the Internet. In fact, mainframe computers predate ARPANET, which predates the Internet. Perimeter-based security worked well because there was no remote access. Remember, in the movie WarGames, Matthew Broderick's character was able to remotely access a mainframe with a modem and a phone line. Today, an attacker uses the Internet to gain access remotely rather than physically breaching the data center perimeter. Second, data centers today are remotely accessed by literally millions of remote endpoint devices from anywhere at any time. Unlike the RJEs of the mainframe era, modern endpoints, including mobile devices, are far more powerful than many of the early mainframe computers and are targets themselves. Finally, the primary value of the mainframe computer was its processing power.
The relatively limited data produced was typically stored on near-line media such as tape. Today, data is the target: it is stored online in data centers and the Cloud, and it is a high-value target for any attacker.

The primary issue with the perimeter-centric network security strategy, in which countermeasures are deployed at a handful of well-defined ingress and egress points to the network, is that it relies on the assumption that everything on the internal network can be trusted. However, this assumption is no longer safe given modern business conditions and computing environments, where remote employees, mobile users, and Cloud computing solutions blur the distinction between internal and external. For instance, wireless technologies, the proliferation of partner connections, and the need to support guest users introduce countless additional pathways into the network, including branch offices that may be located in untrusted countries or regions. Insiders, whether intentionally malicious or just careless, may present a very real security threat. Perimeter-based strategies also fail to account for the potential for sophisticated cyber threats to penetrate perimeter defenses, which would allow free passage on the internal network once the only existing defense was breached, and for scenarios where malicious users are able to gain access to the internal network and sensitive resources by using the stolen credentials of trusted users. The reality is that internal networks are rarely homogeneous; instead, they include pockets of users and resources with inherently different levels of trust or sensitivity that should ideally be separated, for example, Research and Development or financial systems versus print and file servers. A broken trust model is not the only issue with perimeter-centric approaches to network security.
Another contributing factor is that the traditional security devices and technologies commonly used to build network perimeters, such as port-based firewalls, let through too much unwanted traffic. Typical shortcomings in this regard include the inability to definitively distinguish good applications from bad ones (which leads to overly permissive access control settings), to adequately account for encrypted application traffic, to accurately identify and control users regardless of where they are located or what devices they are using, or to filter allowed traffic not only for known application-borne threats but also for unknown ones. The net result is that compartmentalizing one's defenses in a way that creates pervasive internal trust boundaries is, by itself, insufficient. You must also ensure that the devices and technologies used to implement these boundaries actually provide the visibility, control, and threat inspection capabilities needed to securely enable essential business applications while still thwarting modern malware, targeted attacks, and the unauthorized exploitation of sensitive data.

First introduced by Forrester Research, the Zero Trust security model addresses some of the limitations of perimeter-based network security strategies by removing the assumption of trust from the equation. With Zero Trust, essential security capabilities are deployed in a way that provides policy enforcement and protection for all users, devices, applications, and data resources, and for the communications traffic between them, regardless of location. In particular, with Zero Trust there is no default trustworthy entity: users, devices, applications, and packets are not trusted regardless of what they are or their location relative to the enterprise network. In addition, verifying that authorized entities are always doing only what they are allowed to do is no longer optional; it is mandatory in a Zero Trust model. The implications of these two changes are, respectively:
One, the need to establish trust boundaries that effectively compartmentalize the different segments of the internal computing environment. The general idea is to move security functionality closer to the different pockets of resources that require protection. This way, policy can always be enforced regardless of the point of origin of the associated communications traffic. Two, the need for trust boundaries to do more than just initial authorization and access control enforcement. To "always verify" also requires ongoing monitoring and inspection of the associated communications traffic for subversive activities such as threats.

The benefits of implementing a Zero Trust network include: clearly improved effectiveness in mitigating data loss, with visibility and safe enablement of applications, and detection and prevention of cyber threats; greater efficiency for achieving and maintaining compliance with security and privacy mandates, using trust boundaries to segment sensitive application systems and data; an improved ability to securely enable transformative IT initiatives such as user mobility, BYOD/BYOA, infrastructure virtualization, and Cloud computing; and a lower total cost of ownership with a consolidated and fully integrated next-generation security platform rather than a disparate array of siloed, purpose-built security point products.

In this video, we talked about the perimeter-based security model and the Zero Trust security model. In part two, we'll talk about Zero Trust security model core principles, criteria, and architecture.
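To make the contrast between the two models concrete, here is a small added example (my own code, not from the lecture or any vendor product): a perimeter-style rule that trusts any internal source address is compared with a Zero Trust policy that verifies identity and device posture on every request and allows only the role/application pairs defined for each segment. The address range, segment names, and scenarios are constructed for illustration.

```python
# Added example (not from the lecture): the same constructed access requests
# judged by a perimeter-style rule and then by a Zero Trust policy.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed "inside the perimeter" range

# Each segment (a trust boundary around one pocket of resources) lists the
# (user role, application) pairs permitted inside it; nothing else is allowed.
SEGMENT_POLICY = {
    "rnd": {("engineer", "source-control")},
    "finance": {("accountant", "ledger")},
    "print-file": {("engineer", "print"), ("accountant", "print")},
}

@dataclass
class Request:
    src_ip: str
    segment: str
    app: str
    user_role: str
    mfa_verified: bool = False      # identity verified beyond a password
    device_compliant: bool = False  # endpoint posture check passed

def perimeter_allows(req: Request) -> bool:
    """Perimeter model: traffic originating inside the network is trusted."""
    return ip_address(req.src_ip) in INTERNAL

def zero_trust_allows(req: Request) -> bool:
    """Zero Trust: location grants nothing; every request (not just a session's
    first) needs verified identity, compliant device, and a permitted role/app pair."""
    if not (req.mfa_verified and req.device_compliant):
        return False
    return (req.user_role, req.app) in SEGMENT_POLICY.get(req.segment, set())

# Constructed scenarios matching the lecture's argument.
SCENARIOS = {
    # attacker on the internal LAN with a stolen password, no MFA, unmanaged device
    "stolen-credentials": Request("10.1.2.3", "finance", "ledger", "accountant"),
    # verified engineer on a compliant device reaching into the finance segment
    "engineer-to-ledger": Request("10.5.0.9", "finance", "ledger", "engineer", True, True),
    # verified accountant on a compliant device using the ledger it is entitled to
    "accountant-to-ledger": Request("10.5.0.7", "finance", "ledger", "accountant", True, True),
    # same accountant later in the session, after the device fell out of compliance
    "posture-drift": Request("10.5.0.7", "finance", "ledger", "accountant", True, False),
}

def compare(scenarios=SCENARIOS):
    """Return {name: (perimeter_decision, zero_trust_decision)} for each scenario."""
    return {n: (perimeter_allows(r), zero_trust_allows(r)) for n, r in scenarios.items()}
```

Only the entitled accountant on a healthy device passes the Zero Trust check, while the perimeter rule waves through all four internal requests, including the stolen-credential case and the later posture drift.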